ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
PF v1.0 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AU-6: Audit Record Review, Analysis, and Reporting
Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; Report findings to [Assignment: organization-defined personnel or roles]; and Adjust the level of audit record review, analysis, and reporting within the system when there is a change…
CA-2: Control Assessments
Select the appropriate assessor or assessment team for the type of assessment to be conducted; Develop a control assessment plan that describes the scope of the assessment including: Controls and control enhancements under assessment; Assessment procedures to be used to determine control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Ensure the…
CA-7: Continuous Monitoring
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; Ongoing control assessments in accordance with the continuous…
PS-7: External Personnel Security
Establish personnel security requirements, including security roles and responsibilities for external providers; Require external providers to comply with personnel security policies and procedures established by the organization; Document personnel security requirements; Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or…
SA-9: External System Services
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls]; Define and document organizational oversight and user roles and responsibilities with regard to external system services; and Employ the following processes, methods, and techniques to monitor control compliance by external service providers on…
SA-11: Developer Testing and Evaluation
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; Perform [Assignment (one or more): unit, integration, system, regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; Produce evidence of…
Cloud Controls Matrix v3.0.1
STA-06: Supply Chain Governance Reviews
Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner’s cloud supply chain.
STA-07: Supply Chain Metrics
Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify any non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from…
STA-08: Third Party Assessment
Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third party-providers upon which their information supply chain depends on.
STA-09: Third Party Audits
Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
Critical Security Controls Version 8
15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
NIST Special Publication 800-53 Revision 4
AU-2: Audit Events
The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; Provides a rationale for why the auditable events are deemed to be…
AU-6: Audit Review, Analysis, And Reporting
The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and Reports findings to [Assignment: organization-defined personnel or roles].
AU-12: Audit Generation
The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and Generates audit records for the events defined in AU-2 d.…
AU-16: Cross-Organizational Auditing
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
PS-7: Third-Party Personnel Security
The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers; Requires third-party providers to comply with personnel security policies and procedures established by the organization; Documents personnel security requirements; Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational…
SA-9: External Information System Services
The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and Employs…
SA-12: Supply Chain Protection
The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.